I missed out on the Opera controversy while on vacation

A lot has happened in the Opera world during the week that I was gone for my wedding. I’m still catching up on all the stuff I missed while I was gone, even on the security-update controversy. Even though I had Opera Mini at my fingertips the entire last week, I stayed away from it. Now I gotta read and reply to the hundreds of emails in my backlog.

Let’s start off with the controversy that brewed last week (we all love controversy, don’t we?). On December 18th Opera put out a new version of the desktop browser, Opera 9.1. Opera billed this new version primarily as a feature update, namely the addition of fraud protection to the browser, but not a security upgrade. A few weeks later it was revealed that the new updated version also included two important security fixes.

Mozilla’s Asa Dotzler had some harsh words for Opera saying that it did a great disservice to their users and that it was irresponsible and unacceptable to release a security update without notifying users. Asa’s blog post made it to Slashdot and other online publications, such as InternetNews.com.

In the future you should always use the latest version of the Opera browser, as Opera’s Johan Borg points out. “Not just because it has the most published security fixes, but also because we constantly improve stability and user interaction to prevent potential future attack vectors.” Having said that, if you haven’t downloaded the Opera 9.1 update yet, what are you waiting for? (Download Opera 9.1 here).


One quibble on this: from what I read on the desktop blog, I got the impression it wasn’t an intentional omission so much as a vacation-caused mix-up.

As for leaving them off the changelog due to coordinated disclosure: it’s standard practice among many vendors to list simply “Security fixes” and add details later with the actual disclosure. I think most of the people complaining would have been satisfied with that. (Some wouldn’t, of course. I remember times Mozilla got flak for not providing details the moment the release notes with “security fixes” were posted, and it took them 48 whole hours, OMG!!! And then there’s the full disclosure crowd, who would have wanted details posted back in November…)

Well… I’d rather have my computer be safe and not know about it, than get screwed over by a security hole and know that there’s a hole. I support Opera’s stand on security. Opera did a service to me to patch my browser, not a disservice.

For those who, like Asa, want to know what changes there are in your browser, you can wait to update your browser. No one forced you to go 9.1 the day it was released.

I wish Asa wasn’t so immature and ignorant of how these security vulnerabilities are published. He’s an insult to Mozilla.

I have no issues with Opera holding back on the security aspects of 9.1. I trust Opera completely on the security issue. They have certainly earned it! The question I have is why some companies, Verisign and others I would assume, would want to withhold the information that a fix for a known but unannounced security hole has been released. It certainly makes sense to not announce a security hole prior to the fix being in place. Not everyone upgrades their browser right away. Why would Verisign want to delay the announcement? What do they get by holding off a few days?

OK, so the details were deliberately left out. But was the existence of security fixes left out deliberately, or accidentally? It’s one thing to say “This release contains security fixes, the details of which will be disclosed at a later date.” It’s another to say nothing on the subject.

You highlighted something that I think has been missing from the conversation (both on my end and on Opera’s.) As you quote, Borg said “Not just because it has the most published security fixes, but also because we constantly improve stability and user interaction to prevent potential future attack vectors.”

I’ve read over his comment several times and since you highlighted it here, I’ll post here rather than at my blog. Here’s how I read that statement: “Don’t update simply as a response to our *Published* security fixes. Assume there are *unpublished* security fixes in every release.”

I could be reading way too much into his comment, maybe you can set me straight.

What I’d like to know is this: When Opera ships a new release, does Opera disclose all fixed security vulnerabilities, including those that were discovered in-house that would not otherwise be disclosed by the third party security researcher, and ?

At Mozilla, when we ship a new release, we disclose all vulnerabilities fixed in that release, not just those found by third party security researchers (where one obviously has to disclose because if a vendor didn’t, the outside security researcher probably would.)

The reason that I’m suspicious is that I can’t find any record of fixed vulnerabilities in Opera that were not credited to third parties. If that is indeed the case then it would seem that either Opera engineers and QA are not terribly effective at finding security problems in the Opera code, or Opera doesn’t disclose the flaws discovered in-house.

Will Opera go on the record saying that they disclose all fixed security vulnerabilities and not just those found by third parties?

To be a little more specific, I looked over all of the changelogs available here: http://www.opera.com/docs/changelogs/windows/ for the last two years (Opera 8 and 9) and I couldn’t find a single vulnerability report that wasn’t discovered by a Secunia researcher or some other third party. I went the other direction as well and checked all of the Opera vulnerabilities reported at Secunia and none of them were credited to Opera developers.

If you look at the list of Secunia reported vulnerabilities fixed in Firefox, you’ll see that the overwhelming majority of them were discovered and reported to the public (and Secunia) by Mozilla people. There are a few Firefox vulnerabilities discovered by Secunia researchers, but nothing like with Opera where nearly all of the Opera vulnerabilities were discovered by Secunia researchers (or researchers from other security groups like iDefense.)

So, it’s pretty clear from looking at Opera’s and Firefox’s changelogs and Secunia lists that Firefox discloses internally discovered vulnerabilities and that either Opera doesn’t, or they don’t find any on their own.

Either one of those alternatives should cause Opera users some concern.

If you’d be so kind as to get someone from the Desktop team to respond to my question, that’d be great. Thanks.

– A

WildEnte

January 17, 2007 at 11:28 pm

I think you have to distinguish between what’s secure for Opera users and what’s secure for Open-Source browser users here.

Suppose there is a vulnerability found by some Opera Dev, and fixed. If they write in the changelog what they found, it will make all those Opera users vulnerable that don’t read changelogs and that don’t update their browser. Of course, that argument is controversial since vulnerabilities found by third parties are disclosed in the changelogs. But here the deal is “give and take”, i.e. the finder of the vulnerability can only be credited if the vulnerability is disclosed, creating the incentive to report security issues.

I am not familiar with the way that internally found vulnerabilities are treated at Mozilla. I would guess that because of its open-source nature, the information would become public sooner or later anyway, so you could as well put the info in the changelog.

Now I really don’t want to defend Opera here, I’m just guessing why they might treat reporting those issues differently. I think Opera should (at least) mention that they found a security issue internally, without disclosing any more information about it. As a user I’d know when an update is security relevant, and Opera users that don’t update wouldn’t be more vulnerable than before, i.e. no change as compared to now.

So I agree with Asa (do I?) that the policy of disclosing only vulnerabilities found by third parties sounds a little like “would be bad advertising if we announced every security leak we find”.

WildEnte, if Opera has fixed the vulnerability, and Opera users are properly updated (like with, say, a decent automatic update service) then what’s the harm in disclosing the specifics of the vulnerability. By disclosing the specifics, the other browser vendors can check to see if they’re vulnerable. That way Opera users aren’t the only users that get helped by Opera engineers finding security problems — all users can benefit, and that’s what we’re after right, that all users on the web have a safer experience.

That’s one of the good reasons for Mozilla disclosing the full set of vulnerabilities we find. It can help other vendors test their browsers too. If we kept our findings secret, then whole categories of attack might not ever be tested by other browser vendors and those users could be at higher risk.

I agree with you that this sounds like a case where Opera (and Safari and IE) have determined that announcing all of their security vulnerabilities would lead to some bad press and it would take away much of the “we still had fewer vulnerabilities reported than Firefox” argument — which, if my suspicions about Opera and others not disclosing all security bugs are correct, is a completely fallacious argument.

– A

el_esponjoso

January 19, 2007 at 6:56 pm

Asa, the conclusion is “Mozilla is better in security than Opera”, then you make publicity about this in Opera related blogs (like this one) so that the Opera users will be “concerned” and will look for Firefox.

I really don’t like Asa Troller and his modus operandi, but he really seems to have a good point against Opera Software this time, and IMHO it is VERY important that at least you Daniel or someone inside the company could give Opera users a good explanation on this; if you or Opera Software says nothing I (and everyone I think) will start to think that Asa is right, which could be very disappointing. Please don’t make us think that way.